spdx / cdx2spdx

Utility that converts SBOM documents from CycloneDX to SPDX
Apache License 2.0
29 stars 9 forks

cdx2spdx doesn't handle "LicenseRef" license IDs properly #43

Open fschoenm opened 1 month ago

fschoenm commented 1 month ago

I tried to convert a CycloneDX file that contains some non-SPDX-compliant licenses that were already called "LicenseRef-Proprietary" in the CDX file. cdx2spdx (version 0.1.5) seems not to handle that situation well, because it prefixes it with another "LicenseRef". Maybe it could check if the license name is already SPDX-compliant.

This is part of the output (see the duplicate "LicenseRef" prefix):

```json
  "packages" : [ {
    "SPDXID" : "SPDXRef-pkg-conan-[...]",
    "annotations" : [ {
      "annotationDate" : "2024-10-18T13:45:42Z",
      "annotationType" : "OTHER",
      "annotator" : "Tool: CycloneToSpdx",
      "comment" : "MISSING_CDX_PROPERTY:componentType=\"LIBRARY\""
    } ],
    "copyrightText" : "NOASSERTION",
    "description" : "[...]",
    "downloadLocation" : "NOASSERTION",
    "externalRefs" : [ {
      "referenceCategory" : "PACKAGE-MANAGER",
      "referenceLocator" : "pkg:conan/[...]",
      "referenceType" : "purl"
    } ],
    "filesAnalyzed" : false,
    "licenseConcluded" : "NOASSERTION",
    "licenseDeclared" : "LicenseRef-LicenseRef-Proprietary",
    "name" : "[...]",
    "originator" : "Person: [...]",
    "primaryPackagePurpose" : "LIBRARY",
    "supplier" : "Organization: [...]",
    "versionInfo" : "0.3.1"
  }, {
```

goneall commented 1 month ago

Thanks @fschoenm - agree with your suggestion. I'm working on upgrading the utility to support the SPDX 3.0 spec - after that, I'll look into implementing your suggestion.